What to do when you see open ports on an infotainment unit?

I am an experienced Vulnerability Researcher and Security Architect with 16+ years of experience in various verticals and horizontals, be it consumer electronics, semiconductors, automotive or other. Having started as a software engineer on low-level embedded devices, from writing applications to kernel drivers on various operating systems, I then moved to my real calling, i.e., hacking. I love to stick to the older golden days of game hacking, BBS, shareware, phreaking, Phrack, the virus era, metal music, cheats and many more such cool things from the underground. I wear many hats from time to time as necessary, but I also love to help people and organizations deal with the core cybersecurity issues rather than hand them a checklist with a presentation. Opinions and posts on my site are purely my own and do not reflect my work.
We use the same configuration as in our previous popular IVI hack, but this time against a different IVI from the same manufacturer, running an older QNX release. The network diagram remains the same, and the QConn exploit also works here.
There is a specific service on this IVI that handles all aspects of connectivity, e.g. BT, Wi-Fi and USB.
After a quick scan we see the services below.
Note: to avoid naming the vendor, we have changed the actual service name to "hackle".
Hackle’s Monitoring Service:
hackle Monitor Service port (2021): unauthorised monitoring of hackle's GCF logs. Once we are on the same LAN as the HU (over Wi-Fi, BT or the carrier network), we can arbitrarily monitor the scp process's GCF logs and deduce the logical calls needed to set up the next one.
If you just wrote a simple Python receiver on this port, you would be able to see real-time data from the hackle service, as shown below.

There is no way in hackle to know who is monitoring the traffic. This can be used to learn the semantics of hackle's GCF function calls and list them for the next exploit. The traffic includes things like the Wi-Fi AP password; see the screenshot below, with the Wi-Fi AP password highlighted.
The same can be seen in Wireshark, since hackle sends passwords in clear text.
Using the above method we can collect many GCF calls, formulate our own crafted GCF message and send it to hackle.
Hackle’s Code Execution Service:
This IVI does not expose DBUS over TCP/IP, but it exposes another service that can do essentially the same things.
It has been observed that even after disabling the SAS port in the PSS config, this exploit still works over 6010 or 6020. For example, we obtained something like the following:
CALL EHMI:6000 Wlan_ConnMngr_enableAP interfaceName='uap0' keyindex=0 keylist={'12345678'} encryption=0 authentication=0 channel=6 opMode=2 countryCode=2 ssid='Hackable' wpsList={WPS_MODE_OFF} broadcast_on=1 filter_mode=0 mac_list={ };
Now we **disable the existing AP** with CALL EHMI:6000 Wlan_ConnMngr_disableAP interfaceName='uap0'; and then re-enable it with modified parameters, say CALL EHMI:6000 Wlan_ConnMngr_enableAP interfaceName='uap0' keyindex=0 keylist={'12345678'} encryption=0 authentication=0 channel=6 opMode=2 countryCode=2 ssid='DeepFried' wpsList={WPS_MODE_OFF} broadcast_on=1 filter_mode=0 mac_list={ };
See how easy it is to change the AP password. Once this is done you no longer need the USB-to-Ethernet connection and can access the IVI over Wi-Fi.
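The GCF messages above have a regular shape: CALL, a target, a function name and key=value parameters terminated by a semicolon. As an added example (not code from the post or from the vendor), the Python below parses that shape, flags any message that carries a secret-bearing parameter in clear text and redacts it, which is the check a log pipeline or monitor port should apply before data leaves the unit. The set of secret parameter names and the non-CALL sample line are assumptions; the two CALL messages are the ones quoted in the post.

```python
import re

# Parameter names that carry secrets in the hackle GCF messages shown in the post
# (assumption based on the keylist field; extend for other services).
SECRET_PARAMS = {"keylist"}

# "CALL <target> <function> k=v k=v ...;"  e.g. "CALL EHMI:6000 Wlan_ConnMngr_enableAP ..."
_CALL_RE = re.compile(r"^CALL\s+(?P<target>\S+)\s+(?P<func>\w+)\s*(?P<args>.*?);?\s*$")
# a value is a {...} list, a 'quoted' string or a bare token
_VALUE = r"\{[^}]*\}|'[^']*'|\S+"
_PARAM_RE = re.compile(r"(\w+)=(" + _VALUE + ")")

def _clean(value):
    """Strip list braces and quotes: {'12345678'} -> 12345678, { } -> ''."""
    return value.strip("{}").strip().strip("'\"")

def parse_gcf_call(line):
    """Parse one GCF CALL line into target, function and a params dict; None if not a CALL."""
    m = _CALL_RE.match(line.strip())
    if not m:
        return None
    params = {k: _clean(v) for k, v in _PARAM_RE.findall(m.group("args"))}
    return {"target": m.group("target"), "func": m.group("func"), "params": params}

def find_cleartext_secrets(lines):
    """Return (line_no, function, param, value) for every secret-bearing parameter seen."""
    findings = []
    for n, line in enumerate(lines, 1):
        msg = parse_gcf_call(line)
        if msg is None:
            continue
        for name in sorted(SECRET_PARAMS.intersection(msg["params"])):
            findings.append((n, msg["func"], name, msg["params"][name]))
    return findings

def redact_secrets(line):
    """Replace the value of every secret parameter so the line is safe to log or forward."""
    names = "|".join(re.escape(n) for n in SECRET_PARAMS)
    return re.sub(r"\b(" + names + r")=(?:" + _VALUE + ")", r"\1={***}", line)

# Constructed sample: the two messages quoted in the post plus one unrelated (made-up) log line.
SAMPLE_LOG = [
    "CALL EHMI:6000 Wlan_ConnMngr_enableAP interfaceName='uap0' keyindex=0 keylist={'12345678'} encryption=0 "
    "authentication=0 channel=6 opMode=2 countryCode=2 ssid='Hackable' wpsList={WPS_MODE_OFF} broadcast_on=1 filter_mode=0 mac_list={ };",
    "CALL EHMI:6000 Wlan_ConnMngr_disableAP interfaceName='uap0';",
    "scp: connectivity state idle",
]

if __name__ == "__main__":
    for n, func, name, value in find_cleartext_secrets(SAMPLE_LOG):
        print(f"line {n}: {func} sends {name}={value!r} in clear text ->", redact_secrets(SAMPLE_LOG[n - 1]))
```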

As the HU and the attacking machine are on the same LAN, we can try to escalate privileges from hackle or any other service in the HU's OS.
This is just another lame post; the research was done probably 8-9 years ago, before the Jeep hack.